Best way for automatic creation of Linux FDE VMs with secure boot and VTPM using IaC
-
Hi there,
I have researched the forum but I cannot find a reply to my issues so far. At work I need to automatically and quickly create new VMs either via Ansible or Terraform/OpenTofu.
Requirements:
- Full disk encryption.
- Clevis/Tang for additional security.
- SecureBoot support.
The problems are the following:
- I found I can enable Secure Boot in Ansible with
    custom_params:
      - key: 'platform'
        value:
          secureboot: 'true'
  Is there a similar parameter to enable vTPM in Ansible using community.general.xenserver_guest?
  Or can I only enable it via xe-cli: xe vtpm-create vm-uuid=<uuid>?
- Is there a command for the Terraform/OpenTofu provider to enable Secure Boot/vTPM? I cannot find it.
- It does not belong to XCP, but maybe someone knows. It is preferable to have both the boot and root partitions encrypted and at the same time allow automatic creation and start of VMs via IaC tools. If grub2 with an encrypted boot partition (Ubuntu Linux) is used, it requires manual password input for the cryptomount module. After that, initramfs can load the clevis module and the root partition is decrypted via the tang server. Is there some way to allow auto-decryption of the boot partition via vTPM at this pre-load stage?
I thought about using a unified kernel image, but I do not like the idea that it is stored in the unencrypted EFI partition. Also, the default cloud-config is forced to install grub as the bootloader and fails if it can't. I am looking for a solution to create many VMs with either encrypted boot and root partitions, or with UKI and an encrypted root partition without a boot partition at all. All of this in a completely automated way. I already have a similar working setup, but with an unencrypted boot partition. Any advice is highly appreciated. Thank you!
-
And one more thing: if I use Ansible, I have to create a raw disk with the cloud-init config (the ISO CD-ROM is occupied by the Linux installation image). If I just specify the disk as part of a new VM during its creation, it will not see its contents.
- name: Creating VMs
  community.general.xenserver_guest:
    hostname: '{{ xenserver_host }}'
    username: '{{ xenserver_user }}'
    password: '{{ xenserver_pass }}'
    validate_certs: true
    name: '{{ item.value.vm_name }}'
    ...
    disks:
      - name: '{{ item.value.hd_name }}'
        size_gb: '{{ item.value.hd_size_gb }}'
        sr: '{{ item.value.sr_name }}'
At this stage, if I add a 2nd disk with the cloud-init config, the VM does not see its content and autoinstall does not start. I have to create the VBD after the new VM is created:
xe vbd-create vm-uuid={{ item.1 }} vdi-uuid={{ item.0 }} device=1 bootable=false mode=RW type=Disk
Something like this. Only after that can I start the VM, and only then does it see the cloud-init config. In this scenario I cannot use the wait_for_ip_address function, which I really need to automatically trigger another playbook with the guest OS setup.
Is there some way to attach a cloud-init image or supply the cloud-init config the same way as it is done in Terraform, right at the VM creation stage?
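The create-then-attach flow described above, chained into one play so the IP wait still works, as an added example that is not from the original post or the collection's docs: the VM is created powered off with xenserver_guest, the seed VDI and the vTPM are added with the xe commands from this thread, and the separate community.general.xenserver_guest_powerstate module (which also accepts wait_for_ip_address) starts it. The variables xcp_master, vm_template and cloud_init_vdi_uuid are assumptions.

```yaml
# Added example, not from the original post. Assumes: xcp_master is an inventory
# host (the pool master) reachable over SSH for the xe calls; vm_template is an
# existing template name; cloud_init_vdi_uuid is the UUID of the pre-built seed VDI.
- name: Create VM, attach cloud-init seed, enable vTPM, then boot and wait for IP
  hosts: localhost
  connection: local          # the two XenAPI modules talk to the pool over HTTPS
  gather_facts: false
  tasks:
    - name: Create the VM but leave it off so extra VBDs can be added before first boot
      community.general.xenserver_guest:
        hostname: '{{ xenserver_host }}'
        username: '{{ xenserver_user }}'
        password: '{{ xenserver_pass }}'
        validate_certs: true
        name: '{{ vm_name }}'
        template: '{{ vm_template }}'
        state: present         # present = created, not started
        disks:
          - name: '{{ hd_name }}'
            size_gb: '{{ hd_size_gb }}'
            sr: '{{ sr_name }}'
        custom_params:
          - key: 'platform'
            value:
              secureboot: 'true'   # same setting the thread already uses
      register: vm

    - name: Attach the cloud-init seed VDI as a second, non-bootable disk (xe on the master)
      ansible.builtin.command: >
        xe vbd-create vm-uuid={{ vm.instance.uuid }}
        vdi-uuid={{ cloud_init_vdi_uuid }} device=1 bootable=false mode=RW type=Disk
      delegate_to: '{{ xcp_master }}'
      changed_when: true

    - name: Create the vTPM for the VM (the xe call the thread mentions)
      ansible.builtin.command: xe vtpm-create vm-uuid={{ vm.instance.uuid }}
      delegate_to: '{{ xcp_master }}'
      changed_when: true

    - name: Power on and block until the guest reports an IP, so a follow-up play can run
      community.general.xenserver_guest_powerstate:
        hostname: '{{ xenserver_host }}'
        username: '{{ xenserver_user }}'
        password: '{{ xenserver_pass }}'
        validate_certs: true
        name: '{{ vm_name }}'
        state: powered-on
        wait_for_ip_address: true
        timeout: 600
      register: vm_power     # vm_power.instance carries the networks/IP for the next play
```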
-
I think what you seek is Packer, because I'm not aware of our Ansible plugin being able to create VMs, it's an inventory plugin.
-
@olivierlambert thank you for reply.
https://docs.ansible.com/ansible/latest/collections/community/general/xenserver_guest_module.html
I meant this module. It allows creating VMs, but with limited capabilities.
-
I wasn't aware of this plugin even existing (thanks for the discovery). I'm not sure it's really maintained, but we have a clear goal of getting one officially maintained anyway.